CoSync Auth #
What is CoSync Auth? #
CoSync Auth is an authentication solution for developers building applications on MongoDB Realm. It uses JSON Web Tokens (JWT), the industry-standard method defined in RFC 7519 for representing claims between two parties. CoSync Auth provides secure user authentication and identity management through an RSA public/private key protocol, which it administers on behalf of the developer.
JWT authentication relies on public/private key cryptography. The CoSync Auth provider generates and signs JWT authorization tokens with a private key that is exclusive to the developer. The MongoDB Realm App Service holds the corresponding public key and uses it to validate the integrity of each JWT authorization token. Beyond issuing JWT authorization tokens, the CoSync Auth provider offers additional authentication services such as user registration, two-factor verification, user management, signup, and invitation functions.
The purpose of the CoSync Auth authentication system is to handle routine user authentication and onboarding for a MongoDB Realm client application. It also serves as a centralized hub for managing application users and analyzing signup and invitation patterns. Because the JWT tokens are protected with RSA public/private key cryptography, orchestrating a man-in-the-middle attack between the CoSync Auth authentication provider and its dependent MongoDB Realm application would be extremely challenging.
MongoDB suggests JWT authentication as the optimal method for authenticating users into a Realm Platform application. CoSync Auth is designed to be a straightforward service aimed at saving developers time when implementing this functionality.
Terms and Definitions #
The CoSync Auth provider is mainly focused on catering to developers by providing a secure and robust JWT authentication mechanism for their applications. The service consists of two components:
- CoSync portal website
- CoSync REST Service for MongoDB Realm applications
To use the service, a developer creates an account on the CoSync Portal website.
The CoSync Portal website’s main role is to handle user authentication and authorization for MongoDB Realm applications and to administer access to the CoSync AssetLink module. The CoSync Portal offers a clear web interface for developers to administer application users.
The CoSync REST Service delivers a runtime service that enables a MongoDB Realm desktop or mobile application to carry out user authentication.
Social Login #
In addition to facilitating secure email/username login, the CoSync Auth system also accommodates various social login protocols for identity management. Currently, CoSync Auth offers a unified solution for:
- Apple ID sign in
- Google sign in
Given that these social logins are directly supported by the CoSync Auth server, developers find it considerably easier to incorporate them into their operational applications.
What makes CoSync Auth secure? #
The answer lies in RSA public/private key cryptography. The RSA standard is sufficiently secure, preventing simple brute force attacks and serving as the foundation for cryptographic signatures in blockchain and all cryptocurrencies. Asymmetric RSA operates on a straightforward principle: a message signed (or encrypted) with a private key can only be verified (or decrypted) with a single public key, the counterpart of that private key. In the JWT standard the payload is not encrypted; the only cryptographically protected portion is the signature, which is produced by signing the header and payload of the JWT token with the private key using RS256 (an RSA signature over a SHA-256 digest). Because the payload is merely base64url-encoded, anyone holding a token can read its claims, so the payload must never carry secrets. The signature assures the MongoDB Realm App Service that the JWT token originated from the CoSync Auth system and not from a malicious third party.
JSON Web Tokens (JWT) are the secure mechanism through which the CoSync Auth service provides identity management to a MongoDB Realm application. The CoSync Auth service stores a user's handle and password in an encrypted database. When an application needs to validate a user's credentials, it delegates this task to CoSync Auth. First, the user's handle and password are validated against the credentials stored in the database. Second, CoSync Auth can confirm the user's identity through Google's two-factor authentication service or by sending a code to the user's verified phone number. Once the user's credentials have been verified, the CoSync Auth REST service signs a JWT token with the application's private key, which is kept confidential.
Because the CoSync Auth system alone holds the private key, a MongoDB Realm application instance configured with the corresponding public key is assured that only the CoSync Auth system could have signed the JWT tokens authenticating its users. To produce counterfeit tokens, a malicious system would have to obtain the private key, which is stored in encrypted form in the CoSync Auth server database.